Tier 3 — Best Practice

Internal Controls — Oracle Source

Publisher

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Version

v1

Last verified

February 15, 2026

Frameworks

COSO Internal Control — Integrated Framework (2013)

Industries

Applies to all industries

Internal Controls - Overview

Internal control is a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance [cite:298][cite:263]. The globally recognised framework for internal control is the COSO Internal Control — Integrated Framework, originally published in 1992 and updated in 2013 (COSO 2013), which codifies five interrelated components and 17 principles that must be present and functioning for an effective system of internal control [cite:295][cite:269]. Internal controls apply across all industries, organisation sizes, and governance contexts — from public company financial reporting (SOX Section 404) to government accountability, healthcare compliance, and operational risk management [cite:246][cite:262]. The framework is principles-based, allowing flexibility in design and implementation while requiring that all principles be addressed [cite:295][cite:298]. Internal controls encompass the policies, procedures, activities, and mechanisms — both manual and automated — that protect organisations from financial, operational, and strategic risks, ensure the accuracy of financial reporting, safeguard assets, and promote compliance with applicable laws and regulations [cite:264][cite:273].

Internal Controls - What It Is

Internal control, as defined by COSO 2013, is "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance" [cite:298][cite:272].

The COSO 2013 Internal Control — Integrated Framework is structured around three objective categories and five components [cite:298][cite:266]:

Three Objective Categories:

  • Operations — Effectiveness and efficiency of operations, including operational and financial performance goals and safeguarding assets
  • Reporting — Reliability, timeliness, and transparency of financial and non-financial reporting, both internal and external
  • Compliance — Adherence to applicable laws and regulations [cite:298][cite:263]

Five Components (with 17 Principles):

  1. Control Environment (Principles 1–5)
  2. Risk Assessment (Principles 6–9)
  3. Control Activities (Principles 10–12)
  4. Information and Communication (Principles 13–15)
  5. Monitoring Activities (Principles 16–17) [cite:269][cite:295]

For effective internal control, the 2013 Framework requires that each of the five components and all relevant principles are both present (existing in the design of the system) and functioning (operating as designed in practice) [cite:295][cite:298]. A deficiency in any one principle results in a deficiency in the associated component, which means the organisation cannot conclude that its system of internal control is effective [cite:295].

Internal Controls - Who It Applies To

Internal controls are relevant to virtually all organisations, though the specific requirements and enforcement mechanisms vary by context [cite:262][cite:246].

Mandated Application

  • U.S. public companies — SOX Sections 302 and 404 require CEO/CFO certification of disclosure controls and procedures, and management assessment of internal control over financial reporting (ICFR), with external auditor attestation for accelerated filers (PCAOB AS 2201) [cite:265][cite:301]
  • U.S. financial institutions — FDICIA Section 112 requires management assessment and auditor attestation of internal controls for insured depository institutions above asset thresholds
  • Government entities — Federal agencies must implement internal controls under OMB Circular A-123, which adopts GAO's "Green Book" (Standards for Internal Control in the Federal Government); the Green Book incorporates COSO's components and principles and is also widely adopted by state and local governments [cite:279][cite:246]
  • EU regulated entities — The EU's Corporate Sustainability Reporting Directive (CSRD) and Audit Directive require internal control over financial and sustainability reporting [cite:272]

Voluntary / Contractual Application

  • Private companies — Often implement internal controls to satisfy investors, lenders, or acquisition due diligence requirements, or in preparation for IPO [cite:273]
  • Nonprofits — Funders, grantors, and regulatory bodies may require internal controls over grant expenditures and financial reporting [cite:262]
  • Any organisation — Internal controls are a governance best practice for operational efficiency, fraud prevention, and risk management regardless of regulatory mandate [cite:264][cite:263]

Roles and Responsibilities

  • Board of Directors / Audit Committee: oversight of the internal control system; setting tone at the top; monitoring management's design and operating effectiveness of controls [cite:246][cite:263]
  • Management: design, implementation, and maintenance of the internal control system; conducting assessments; remediating deficiencies [cite:246][cite:298]
  • Internal Audit: independent evaluation of internal control effectiveness; reporting findings to the audit committee; advising on control improvements [cite:246][cite:262]
  • External Auditors: attesting to management's assessment of ICFR (where required); testing controls as part of the financial statement audit [cite:301][cite:267]
  • All Personnel: executing assigned control activities; reporting deficiencies and incidents [cite:298][cite:264]

Internal Controls - What It Requires - Control Environment (Component 1)

The control environment is the foundation of the entire internal control system — the "tone at the top" that shapes organisational culture around integrity, accountability, and governance [cite:263][cite:275].

Principles 1–5

  1. Demonstrates commitment to integrity and ethical values — The organisation demonstrates a commitment to integrity and ethical values through codes of conduct, ethics policies, and leadership behaviour that reinforces those standards [cite:269][cite:266]
  2. Exercises oversight responsibility — The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control [cite:269][cite:266]
  3. Establishes structure, authority, and responsibility — Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives [cite:269]
  4. Demonstrates commitment to competence — The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives [cite:269][cite:266]
  5. Enforces accountability — The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives [cite:269]

Key Elements

  • Organisational structure and reporting lines that enable effective oversight
  • Human resource policies governing hiring, training, evaluation, compensation, and termination
  • Assignment of authority and responsibility for control activities across all levels
  • Leadership philosophy and operating style that reinforces ethical behaviour
  • Board and audit committee independence, competence, and active engagement [cite:263][cite:258]

Internal Controls - What It Requires - Risk Assessment (Component 2)

Risk assessment is the process of identifying and analysing risks to the achievement of objectives as a basis for determining how risks should be managed [cite:263][cite:275].

Principles 6–9

  6. Specifies suitable objectives — The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives [cite:269][cite:266]
  7. Identifies and analyses risk — The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed [cite:269]
  8. Assesses fraud risk — The organisation considers the potential for fraud in assessing risks to the achievement of objectives, including fraudulent reporting, misappropriation of assets, and corruption [cite:269][cite:266]
  9. Identifies and analyses significant change — The organisation identifies and assesses changes that could significantly impact the system of internal control [cite:269]

Risk Assessment Process

A structured risk assessment follows these steps [cite:273][cite:275]:

  1. Define objectives — Establish clear operational, reporting, and compliance objectives against which risks are measured
  2. Identify risks — Catalogue internal and external risks that could prevent objectives from being achieved, including fraud risks
  3. Develop assessment criteria — Define consistent scales for likelihood and impact (e.g., high/medium/low or quantitative scoring)
  4. Analyse and score risks — Evaluate each identified risk against the criteria; methods include surveys, interviews, workshops, and benchmarking
  5. Prioritise risks — Rank risks by score and incorporate qualitative factors (reputational damage, safety, regulatory exposure)
  6. Determine risk response — Accept, avoid, reduce, or share each risk; design control activities to implement the chosen response

Risk assessment must be iterative — conducted at planned intervals and whenever significant changes occur in the business environment, operations, technology, or regulatory landscape [cite:275][cite:258].

Internal Controls - What It Requires - Control Activities (Component 3)

Control activities are the policies, procedures, and mechanisms that ensure management directives for risk mitigation are carried out [cite:263][cite:275].

Principles 10–12

  10. Selects and develops control activities — The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels [cite:269][cite:266]
  11. Selects and develops general controls over technology — The organisation selects and develops general control activities over technology to support the achievement of objectives [cite:269][cite:266]
  12. Deploys control activities through policies and procedures — The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action [cite:269]

Control Types by Function

  • Preventive
    Purpose: stop errors or fraud before they occur
    Examples: segregation of duties, access controls (physical and logical), approval/authorisation workflows, pre-employment screening, system input validation, encryption [cite:264][cite:265]
  • Detective
    Purpose: identify errors or irregularities after they occur
    Examples: reconciliations, exception reports, internal audits, physical inventory counts, variance analyses, log monitoring, SIEM alerts [cite:265][cite:264]
  • Corrective
    Purpose: remediate identified issues and prevent recurrence
    Examples: patch management, policy/procedure updates, disciplinary actions, system configuration changes, retraining, incident response procedures [cite:265][cite:268]
  • Compensating
    Purpose: substitute for a primary control when it cannot be implemented
    Examples: additional supervisory review when segregation of duties is not feasible; enhanced monitoring when a preventive control is missing [cite:268]
  • Deterrent
    Purpose: discourage undesirable actions through visible consequences
    Examples: warning signs, CCTV, penalty policies, audit trail visibility [cite:268]

Control Types by Nature

  • Entity-level controls
    Scope: operate across the entire organisation
    Examples: code of conduct, tone at the top, enterprise risk assessment, board/audit committee oversight, whistleblower programme [cite:265]
  • Process-level controls
    Scope: operate within specific business processes
    Examples: three-way match in procure-to-pay, bank reconciliation, journal entry review, payroll approval [cite:265][cite:271]
  • IT General Controls (ITGCs)
    Scope: govern the IT environment supporting all processes
    Examples: access management, change management, system development lifecycle, IT operations/backup/recovery [cite:292][cite:294]
  • IT Application Controls
    Scope: embedded in specific applications
    Examples: input validation, processing checks, output verification, automated calculations [cite:302][cite:294]

Key Control Activities

  • Segregation of duties (SoD) — No single individual should control all phases of a transaction (initiation, authorisation, recording, custody). SoD is the most fundamental preventive control [cite:265][cite:273]
  • Authorisation and approval — Transactions should be authorised by designated personnel within defined limits before execution [cite:264][cite:273]
  • Reconciliation — Regular comparison of records from independent sources (e.g., bank statements vs. general ledger) to identify and resolve discrepancies [cite:264][cite:271]
  • Physical safeguards — Restrict physical access to assets (cash, inventory, equipment, data centres) and conduct periodic counts against records [cite:264]
  • Documentation and record retention — Transactions must be properly documented, and records maintained in an organised, retrievable manner [cite:273]
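The SoD rule above (and the periodic user access reviews listed under ITGC access controls later on this page) is normally enforced by checking each user's effective entitlements against a conflict matrix. The following is an added example, not code from COSO or from the original page. The role catalogue, conflict matrix, user assignments and compensating-control register are constructed sample data standing in for an IAM or ERP export; a documented compensating control (the Compensating row in the control-type table above) downgrades a finding to "mitigated" rather than hiding it, so the exception stays visible to the reviewer:

```python
"""Segregation-of-duties (SoD) conflict check over user entitlements.

Added example; not code from COSO or the original page. ROLE_FUNCTIONS,
CONFLICTS, USER_ROLES and MITIGATIONS are constructed sample data. The
function names follow the page's four transaction phases: initiation,
authorisation, recording and custody.
"""
from itertools import combinations

# Which business functions each role grants (constructed catalogue).
ROLE_FUNCTIONS = {
    "ap_clerk":      {"initiate_payment"},          # initiation
    "ap_manager":    {"approve_payment"},           # authorisation
    "gl_accountant": {"post_journal"},              # recording
    "treasury":      {"release_funds"},             # custody
    "vendor_admin":  {"maintain_vendor_master"},    # master data
    # A broad technical role that quietly spans several phases.
    "sysadmin":      {"initiate_payment", "approve_payment",
                      "post_journal", "release_funds"},
}

# Function pairs one person must never hold together (constructed matrix).
CONFLICTS = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"approve_payment", "release_funds"}),
    frozenset({"post_journal", "release_funds"}),
    frozenset({"maintain_vendor_master", "initiate_payment"}),
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by a user's roles. An unmapped role is
    raised, not skipped: a role nobody can explain is itself a review finding."""
    functions = set()
    for role in roles:
        if role not in role_functions:
            raise KeyError(f"role {role!r} is not in the role-to-function catalogue")
        functions |= role_functions[role]
    return functions


def sod_findings(user_roles, mitigations=None, role_functions=ROLE_FUNCTIONS,
                 conflicts=CONFLICTS):
    """Return one finding per (user, conflicting function pair).

    mitigations maps (user, frozenset(pair)) to the description of a documented
    compensating control; a match marks the finding 'mitigated' but still
    reports it, so accepted exceptions remain on the reviewer's list.
    """
    mitigations = mitigations or {}
    findings = []
    for user, roles in sorted(user_roles.items()):
        functions = effective_functions(roles, role_functions)
        for a, b in combinations(sorted(functions), 2):
            pair = frozenset({a, b})
            if pair not in conflicts:
                continue
            note = mitigations.get((user, pair))
            findings.append({
                "user": user,
                "pair": (a, b),
                "status": "mitigated" if note else "violation",
                "note": note or "",
            })
    return findings


def open_violations(findings):
    """Findings with no documented compensating control."""
    return [f for f in findings if f["status"] == "violation"]


# Constructed user-to-role assignments, as an access review export would list them.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_clerk", "ap_manager"],
    "carol": ["sysadmin"],
    "dave":  ["vendor_admin", "ap_clerk"],
}

# Constructed compensating-control register: bob's conflict has been accepted
# because a second person reviews every payment batch before release.
MITIGATIONS = {
    ("bob", frozenset({"initiate_payment", "approve_payment"})):
        "Compensating control: treasury reviews all AP batches before release",
}

if __name__ == "__main__":
    for f in sod_findings(USER_ROLES, MITIGATIONS):
        print(f"{f['status']:<10} {f['user']:<6} {f['pair'][0]} + {f['pair'][1]}  {f['note']}")
```

The conflict matrix is evaluated over effective functions rather than role names, which is what catches the sysadmin case: no single role pair looks suspicious, but one technical role spans initiation, authorisation, recording and custody at once.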

Internal Controls - What It Requires - Information and Communication (Component 4)

Relevant, quality information must be identified, captured, and communicated in a form and timeframe that enable people to carry out their internal control responsibilities [cite:263][cite:275].

Principles 13–15

  13. Uses relevant information — The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control [cite:269]
  14. Communicates internally — The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control [cite:269]
  15. Communicates externally — The organisation communicates with external parties regarding matters affecting the functioning of internal control [cite:269]

Key Elements

  • Written corporate policies and procedures accessible to all relevant personnel
  • Clear communication of unit-level goals and objectives and individual responsibilities
  • Documented organisational charts, reporting lines, and escalation paths
  • Performance evaluation criteria that incorporate control responsibilities
  • Channels for reporting control deficiencies, incidents, and suspected fraud (including anonymous/confidential mechanisms)
  • External communication to regulators, auditors, customers, and other stakeholders regarding matters affecting controls [cite:275][cite:263]

Information systems — both financial and operational — must produce data that is timely, current, accurate, complete, accessible, and protected from unauthorised modification [cite:263].

Internal Controls - What It Requires - Monitoring Activities (Component 5)

Monitoring ensures that internal controls continue to operate as designed over time, and that deficiencies are identified and communicated for corrective action [cite:263][cite:275].

Principles 16–17

  16. Conducts ongoing and/or separate evaluations — The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning [cite:269]
  17. Evaluates and communicates deficiencies — The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate [cite:269]

Monitoring Methods

  • Ongoing monitoring — Built into routine operations: management supervision, automated exception reports, continuous monitoring dashboards, real-time alerts, and self-assessments by process owners [cite:276][cite:263]
  • Separate evaluations — Periodic, discrete assessments: internal audits, external audits, SOX walkthroughs, compliance reviews, and targeted control testing [cite:263][cite:267]
  • Deficiency reporting and remediation — Identified deficiencies, classified by severity (deficiency, significant deficiency, or material weakness), must be reported to appropriate levels of management and the board/audit committee, with root cause analysis and corrective action plans tracked to completion [cite:269][cite:276]

Testing Frequencies (Risk-Based)

  • High-risk controls: monthly or quarterly [cite:276]
  • Medium-risk controls: semi-annual [cite:276]
  • Low-risk controls: annual, with exception-based monitoring [cite:276]

Internal Controls - What It Requires - IT Controls (ITGCs and Application Controls)

IT controls are a critical subset of the internal control system that ensure technology operates securely, reliably, and in a manner that supports organisational objectives [cite:294][cite:292].

IT General Controls (ITGCs)

ITGCs are company-wide controls that govern the IT environment supporting all business processes and applications [cite:292][cite:294]. They are typically grouped into four categories:

  1. Access Controls (Logical Security) — User account provisioning/deprovisioning, role-based access, privileged access management, multi-factor authentication, periodic user access reviews, separation of duties in IT systems [cite:292][cite:297]
  2. Change Management — Documented change request, testing, approval, and implementation procedures for code, configurations, and infrastructure changes; segregation of development, testing, and production environments [cite:292][cite:297]
  3. IT Operations — Job scheduling, monitoring, backup and recovery procedures, incident management, disaster recovery testing [cite:292][cite:300]
  4. System Development Lifecycle (SDLC) — Standards for acquiring, developing, testing, and deploying new systems and applications; code review, security testing, and pre-production validation [cite:294][cite:297]

IT Application Controls

Application controls are specific to individual applications and ensure the integrity of data processed by those systems [cite:302][cite:294]:

  • Input controls — Validate data entered into the system (format checks, range checks, completeness checks, duplicate detection)
  • Processing controls — Verify data is processed correctly (automated calculations, batch totals, sequence checks, reasonableness tests)
  • Output controls — Validate information produced by the system (report distribution controls, reconciliation of output to input, access restrictions on reports) [cite:302]
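As an added example of the three layers working together (not code from COSO or from the original page), the following validates a constructed inbound payment batch: input controls per row (format, range, validity against master data and allowed values, duplicate detection), processing controls across the batch (sequence check, record count and amount hash total compared with a sender-supplied TRAILER record), and an accept/reject decision on the output side. The file layout, vendor master, currency whitelist and amount ceiling are all assumptions of this example:

```python
"""Application controls over an inbound payment batch.

Added example; not code from COSO or the original page. The batch layout
(CSV body followed by a TRAILER record carrying the sender's record count and
amount hash total), VENDOR_MASTER, ALLOWED_CURRENCIES, MAX_AMOUNT and the
invoice-id format are constructed assumptions.
"""
import csv
import io
import re
from decimal import Decimal, InvalidOperation

VENDOR_MASTER = {"V0042", "V0077"}          # constructed master-data reference
ALLOWED_CURRENCIES = {"USD"}                # constructed allowed-value list
MAX_AMOUNT = Decimal("10000.00")            # constructed range limit
INVOICE_ID = re.compile(r"^INV-\d{4}$")     # constructed format rule

# Constructed batch: the sender claims 7 records totalling 7829.50, but record 4
# (250.00) was lost in transit and several surviving rows carry input errors.
BATCH = """\
seq,invoice_id,vendor_id,amount,currency
1,INV-1001,V0042,1250.00,USD
2,INV-1002,V0042,99.50,USD
3,INV-1003,V9999,-20.00,USD
5,INV-1001,V0042,1250.00,USD
6,INV-1005,V0042,abc,USD
7,INV-1006,V0042,5000.00,EUR
TRAILER,7,7829.50
"""


def parse_batch(text):
    """Split body rows from the trailer; returns (rows, claimed_count, claimed_total)."""
    lines = text.strip().splitlines()
    tag, count, total = lines[-1].split(",")
    if tag != "TRAILER":
        raise ValueError("batch has no TRAILER record")
    rows = list(csv.DictReader(io.StringIO("\n".join(lines[:-1]))))
    return rows, int(count), Decimal(total)


def validate_batch(text):
    """Return a list of (seq, check, detail) findings; an empty list means the batch passed."""
    rows, claimed_count, claimed_total = parse_batch(text)
    findings = []
    seen_invoices = set()
    hash_total = Decimal("0")
    expected_seq = 1

    for row in rows:
        seq = int(row["seq"])
        # Processing control: sequence check detects dropped or reordered records.
        if seq != expected_seq:
            findings.append((seq, "sequence", f"expected seq {expected_seq}"))
        expected_seq = seq + 1

        # Input control: format checks.
        if not INVOICE_ID.match(row["invoice_id"]):
            findings.append((seq, "format", f"bad invoice id {row['invoice_id']!r}"))
        try:
            amount = Decimal(row["amount"])
        except InvalidOperation:
            findings.append((seq, "format", f"non-numeric amount {row['amount']!r}"))
            amount = None

        # Input control: range check.
        if amount is not None and not (Decimal("0") < amount <= MAX_AMOUNT):
            findings.append((seq, "range", f"amount {amount} outside (0, {MAX_AMOUNT}]"))

        # Input control: validity against master data and allowed values.
        if row["vendor_id"] not in VENDOR_MASTER:
            findings.append((seq, "validity", f"unknown vendor {row['vendor_id']}"))
        if row["currency"] not in ALLOWED_CURRENCIES:
            findings.append((seq, "validity", f"currency {row['currency']} not allowed"))

        # Input control: duplicate detection on the business key.
        if row["invoice_id"] in seen_invoices:
            findings.append((seq, "duplicate", f"invoice {row['invoice_id']} already in batch"))
        seen_invoices.add(row["invoice_id"])

        if amount is not None:
            hash_total += amount

    # Processing controls: batch totals compared with the sender's trailer.
    if len(rows) != claimed_count:
        findings.append((None, "batch_count", f"{len(rows)} records, trailer claims {claimed_count}"))
    if hash_total != claimed_total:
        findings.append((None, "batch_total", f"hash total {hash_total}, trailer claims {claimed_total}"))
    return findings


def batch_accepted(text):
    """Output-side decision: any control-total failure rejects the whole batch;
    rows with input errors are rejected individually by the caller."""
    return not any(check in ("batch_count", "batch_total")
                   for _, check, _ in validate_batch(text))


if __name__ == "__main__":
    for seq, check, detail in validate_batch(BATCH):
        print(f"seq={seq!s:<4} {check:<12} {detail}")
    print("accepted:", batch_accepted(BATCH))
```

The two batch-level checks are what the per-row checks cannot provide: every surviving row can be individually well-formed and the batch still be incomplete, which is exactly the case the sequence gap and the count/total mismatch expose here.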

ITGCs and application controls work together: ITGCs provide the trusted foundation, and application controls ensure accuracy within each application. If ITGCs are deficient (e.g., poor access controls or uncontrolled changes), the reliability of application controls cannot be assured [cite:292][cite:294].

Internal Controls - What It Requires - Testing and Evaluation

Internal control testing evaluates whether controls are designed effectively (design effectiveness) and operating as intended (operating effectiveness) [cite:270][cite:291].

Testing Methods

There are five primary testing methods. The four manual methods are listed in ascending order of assurance strength; computer-assisted techniques cut across them and are listed last [cite:291][cite:296][cite:301]:

  1. Inquiry — Asking personnel about processes, control operation, and exceptions. Provides the lowest level of assurance. Per PCAOB AS 2201 and AICPA guidance, inquiry alone is never sufficient to conclude on operating effectiveness [cite:296][cite:301]
  2. Observation — Watching processes and controls being performed in real time. Useful for controls with no documentation or automated controls. Provides evidence that a control was operating at a specific point in time [cite:293][cite:296]
  3. Inspection (Examination) — Reviewing documentation, reports, transactional records, and system configurations to determine whether controls were performed correctly and consistently [cite:293][cite:291]
  4. Reperformance — Independently re-executing the control using original data and procedures to verify the outcome. Provides the highest level of assurance among manual techniques [cite:291][cite:299]
  5. Computer-Assisted Audit Techniques (CAATs) — Using software tools to test automated controls, analyse entire data populations, and identify anomalies. Includes data extraction, recalculation, and automated testing scripts [cite:296]

Best practice requires a combination of methods — inquiry combined with inspection, observation, and/or reperformance — to obtain sufficient appropriate evidence [cite:301][cite:296].
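Reconciliation (listed under Key Control Activities above) is also the classic CAAT: the whole population of bank lines is matched against the whole population of ledger entries rather than a sample, and only the exceptions go to a reviewer. The following is an added example, not code from COSO or from the original page. The bank statement and general-ledger data are constructed, and the matching rule (same reference and amount, dates within a tolerance, each entry consumed at most once) and the exception categories are this example's own:

```python
"""Full-population bank-to-ledger reconciliation as a CAAT.

Added example; not code from COSO or the original page. BANK and LEDGER are
constructed sample data; the one-to-one matching rule and the exception
categories are assumptions of this example.
"""
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed bank statement lines (what the bank says cleared).
BANK = [
    {"date": date(2025, 3, 3),  "ref": "CHK1001",  "amount": Decimal("1250.00")},
    {"date": date(2025, 3, 4),  "ref": "CHK1002",  "amount": Decimal("99.50")},
    {"date": date(2025, 3, 10), "ref": "CHK1003",  "amount": Decimal("5000.00")},
    {"date": date(2025, 3, 11), "ref": "FEE-0311", "amount": Decimal("25.00")},    # bank charge, never booked
    {"date": date(2025, 3, 12), "ref": "CHK1004",  "amount": Decimal("400.00")},
]

# Constructed general-ledger cash disbursements (what the books say).
LEDGER = [
    {"date": date(2025, 3, 1),  "ref": "CHK1001", "amount": Decimal("1250.00")},
    {"date": date(2025, 3, 2),  "ref": "CHK1002", "amount": Decimal("99.50")},
    {"date": date(2025, 3, 9),  "ref": "CHK1003", "amount": Decimal("5000.00")},
    {"date": date(2025, 3, 12), "ref": "CHK1004", "amount": Decimal("4000.00")},   # keying error: 400 booked as 4000
    {"date": date(2025, 3, 15), "ref": "CHK1005", "amount": Decimal("310.00")},    # outstanding, not yet cleared
]


def reconcile(bank, ledger, day_tolerance=3):
    """Match every bank line to at most one ledger entry and vice versa.

    Returns (matched, exceptions). Each exception carries a 'type':
    not_in_ledger (bank activity never recorded), not_in_bank (booked but not
    cleared, e.g. outstanding items), amount_mismatch or date_out_of_tolerance,
    plus the bank and/or ledger entries involved.
    """
    unmatched_ledger = defaultdict(list)
    for entry in ledger:
        unmatched_ledger[entry["ref"]].append(entry)

    matched, exceptions = [], []
    for b in bank:
        candidates = unmatched_ledger.get(b["ref"])
        if not candidates:
            exceptions.append({"type": "not_in_ledger", "bank": b, "ledger": None})
            continue
        # Prefer an exact-amount candidate; otherwise take the first and report the difference.
        exact = [l for l in candidates if l["amount"] == b["amount"]]
        l = exact[0] if exact else candidates[0]
        candidates.remove(l)                      # consume it: one-to-one matching
        if l["amount"] != b["amount"]:
            exceptions.append({"type": "amount_mismatch", "bank": b, "ledger": l,
                               "difference": b["amount"] - l["amount"]})
        elif abs((b["date"] - l["date"]).days) > day_tolerance:
            exceptions.append({"type": "date_out_of_tolerance", "bank": b, "ledger": l})
        else:
            matched.append((b, l))

    # Whatever is left on the ledger side never cleared the bank.
    for leftovers in unmatched_ledger.values():
        for l in leftovers:
            exceptions.append({"type": "not_in_bank", "bank": None, "ledger": l})
    return matched, exceptions


def exception_report(exceptions):
    """Count of exceptions by type: the summary a reviewer signs off on."""
    report = defaultdict(int)
    for e in exceptions:
        report[e["type"]] += 1
    return dict(report)


if __name__ == "__main__":
    matched, exceptions = reconcile(BANK, LEDGER)
    print(f"{len(matched)} matched, {len(exceptions)} exceptions")
    for e in exceptions:
        ref = (e["bank"] or e["ledger"])["ref"]
        print(f"  {e['type']:<22} {ref}")
```

Because every line on both sides is either matched or listed as an exception, the control leaves no untested population behind, which is the assurance argument for CAATs over sampling; the three exception types here (unrecorded bank charge, keying error, outstanding cheque) are the usual reconciling items a reviewer then explains or escalates.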

Testing Process

The end-to-end testing process follows these steps [cite:270][cite:276][cite:291]:

  1. Create a control inventory — Document all key controls with their objectives, process owners, frequency, and classification (preventive/detective, manual/automated, ITGC/application)
  2. Prioritise controls for testing — Risk-rank controls based on financial materiality, regulatory requirements (SOX, GDPR, HIPAA, PCI), fraud risk, and business impact of control failure
  3. Design test procedures — Select the appropriate testing method(s) for each control type; define sample sizes, testing periods, and expected results
  4. Execute tests — Perform the testing procedures; document each test step, the evidence obtained, and the result
  5. Evaluate results — Determine whether the control operated effectively (no exceptions, or exceptions within the tolerable rate) or has a deficiency, and classify the severity of any deficiency: a deficiency (the control's design or operation does not allow misstatements to be prevented or detected on a timely basis), a significant deficiency (less severe than a material weakness but important enough to merit the attention of those responsible for oversight), or a material weakness (a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis)
  6. Remediate and retest — For identified deficiencies, perform root cause analysis, implement corrective actions, and retest to confirm remediation effectiveness
  7. Report — Communicate findings to process owners, management, the audit committee, and (where applicable) external auditors and regulators [cite:270][cite:276]

Walkthrough Procedures

PCAOB AS 2201 calls for walkthroughs in ICFR audits, identifying them as frequently the most effective way to understand the flow of transactions and the points at which misstatements could arise. A walkthrough traces a transaction from origination through processing to recording in the financial statements, using a combination of inquiry, observation, inspection, and reperformance at each step [cite:301][cite:267]. Walkthroughs confirm that controls are designed as documented and are implemented in practice [cite:301].

Internal Controls - Governance Implications

Internal controls are a governance mechanism — they translate board-level risk appetite and management directives into operationalised processes that provide assurance over objectives [cite:263][cite:246].

Organisational Governance

  • Board and audit committee oversight — COSO Principle 2 requires the board to exercise independent oversight of internal control. In practice, the audit committee reviews the internal control assessment, approves the internal audit plan, monitors remediation of deficiencies, and oversees external auditor interactions regarding ICFR [cite:269][cite:246]
  • Management accountability — Management is responsible for design, implementation, and ongoing assessment of internal controls. SOX Section 302 certifications and Section 404 assessments formalise this accountability for public companies [cite:298][cite:265]
  • Three Lines Model — Modern governance structures implement the IIA's Three Lines Model: (1) management as first line (owns and operates controls), (2) risk management and compliance functions as second line (oversee and advise), (3) internal audit as third line (independent assurance) [cite:262][cite:246]

Ontic BOM Mapping

  • model — AI/ML models that influence financial reporting, operational decisions, or compliance outcomes are subject to internal controls. Model risk management controls include validation, change management, performance monitoring, and access restrictions over model development and production environments. COSO Principle 11 (general controls over technology) directly applies to model governance infrastructure [cite:266][cite:292]
  • oracle — Authoritative data sources used for financial reporting, regulatory calculations, and operational decisions must be controlled: data integrity checks, reconciliations (Principle 10), access controls, and audit trails. Data governance controls ensure oracle reliability and prevent unauthorised modification [cite:275][cite:294]
  • ontology — Classification schemes for accounts, risk categories, transaction types, and organisational structures are foundational to control design. Inconsistent or poorly governed ontologies lead to misclassification, incomplete risk coverage, and reporting errors. Chart of accounts governance and master data management are core control activities [cite:263]
  • system_prompt — For AI systems operating in controlled processes (e.g., automated financial analysis, compliance screening, customer decisioning), prompt configurations that affect output must be governed under change management (ITGC), access control, and testing disciplines consistent with COSO Principles 10–12 [cite:292][cite:294]
  • gate — Internal controls are themselves gates: authorisation and approval controls (Principle 10), segregation of duties, access controls, and reconciliations are decision gates that prevent, detect, or correct issues before they propagate. Pre-deployment testing and post-implementation monitoring are temporal gates [cite:264][cite:270]
  • security — ITGCs (access management, change management, backup/recovery, encryption) form the security layer of the internal control system. Application controls protect data integrity within specific systems. Together they map directly to the security BOM component [cite:292][cite:297]
  • signed_client — Unique user identification, authentication, authorisation logs, and audit trails support non-repudiation and traceability of actions within controlled processes. COSO Principle 13 (uses relevant information) requires quality information to support the functioning of internal control; these same records are the evidence auditors must obtain in sufficient, appropriate form [cite:294][cite:296]

E/A/D Axis Integration

  • Ethical (E)
    COSO component / principles: Component 1, Control Environment (Principles 1–5): commitment to integrity and ethical values, board independence, organisational structure, competence, accountability
    Hallmarks: tone at the top, ethical standards, code of conduct, competence requirements, performance accountability
    Evidence: board minutes, ethics policy attestations, competence assessments, disciplinary records, culture survey results [cite:269][cite:246]
  • Accountable (A)
    COSO component / principles: Component 2, Risk Assessment (Principles 6–9); Component 3, Control Activities (Principles 10–12); Component 4, Information & Communication (Principles 13–15)
    Hallmarks: documented risk methodology, control design linked to risks, segregation of duties, IT general controls, relevant information flows, internal and external communication
    Evidence: risk registers, control matrices, SoD analyses, ITGC documentation, information flow diagrams, communication protocols [cite:264][cite:275]
  • Defensible (D)
    COSO component / principles: Component 5, Monitoring Activities (Principles 16–17): ongoing evaluations, separate evaluations, reporting of deficiencies
    Hallmarks: continuous monitoring, independent testing, deficiency tracking, remediation evidence, PCAOB AS 2201 compliance
    Evidence: testing results, deficiency logs, remediation tracking, management assertions, external audit reports, board reporting packages [cite:298][cite:292]

Internal Controls - Enforcement Penalties

Internal controls are not a standalone regulation — they are enforced through the regulatory frameworks that mandate them [cite:265].

SOX Enforcement (U.S. Public Companies)

  • False SOX Section 302 certification: civil penalties, officer/director bars; criminal fines up to $5M and imprisonment up to 20 years for willful violations (Section 906) [cite:265]
  • Material weakness in ICFR: adverse auditor opinion on internal controls; mandatory public disclosure; investor and market consequences; potential SEC enforcement [cite:301]
  • Failure to remediate: continued adverse opinions; increased audit scrutiny and fees; SEC enforcement actions; potential delisting [cite:265]

Notable Enforcement Examples

  • SEC enforcement routinely cites internal control failures as the root cause of financial reporting fraud. Actions include civil monetary penalties, disgorgement, and officer bars [cite:265]
  • PCAOB inspections cite audit firms for insufficient ICFR testing, driving increased testing requirements and audit costs across the industry [cite:301]
  • Restatements driven by material weaknesses result in stock price declines, increased cost of capital, and litigation exposure [cite:265]

Other Regulatory Contexts

  • FDICIA — Insured depository institutions above asset thresholds face regulatory consequences for internal control deficiencies, including enforcement actions by federal banking agencies
  • Government — GAO Yellow Book findings on internal control deficiencies in government audits can lead to restrictions on funding, increased oversight, and corrective action requirements [cite:279]
  • EU/International — Internal control failures can contribute to enforcement under GDPR (inadequate technical measures), NIS 2, and local corporate governance codes

Internal Controls - Intersection With Other Frameworks

The COSO Internal Control framework intersects with and is referenced by numerous regulatory, audit, and governance frameworks [cite:263][cite:283].

COSO Enterprise Risk Management (ERM)

COSO ERM (2017) extends the internal control framework into enterprise-wide risk management. Internal control is a subset of ERM — the control activities component directly supports risk response strategies identified through the ERM process. Organisations implementing ERM typically integrate internal control as the operational layer of risk treatment [cite:263][cite:283].

SOX / PCAOB AS 2201

SOX Section 404 requires management to assess ICFR effectiveness using a "suitable, recognised framework" — COSO 2013 is the universally accepted framework for this purpose in the U.S. [cite:265][cite:301]. PCAOB AS 2201 governs the external auditor's attestation on ICFR and references COSO principles for evaluating control design and operating effectiveness [cite:301].

COBIT

COBIT (Control Objectives for Information and Related Technologies) provides a detailed IT governance and management framework that operationalises COSO's technology-related principles (especially Principles 11 and 12). COBIT maps IT processes to business goals and COSO components, making it the primary framework for IT governance controls [cite:283][cite:292].

ISO 27001

ISO 27001's Annex A controls map extensively to COSO's ITGC and application control requirements. Organisations certified to ISO 27001 can leverage their ISMS controls as evidence of internal control effectiveness over information security [cite:292][cite:283].

Three Lines Model (IIA)

The Institute of Internal Auditors' Three Lines Model defines the roles of management (first line), risk/compliance functions (second line), and internal audit (third line) in maintaining internal controls. This governance model operationalises COSO Principles 2 (oversight), 5 (accountability), and 16–17 (monitoring) [cite:262][cite:246].

Framework relationships at a glance:

  • COSO ERM (2017) (risk management framework): internal control is a subset; control activities implement risk responses [cite:263]
  • SOX / PCAOB AS 2201 (regulation / audit standard): COSO 2013 is the accepted framework for SOX 404 ICFR assessment [cite:265][cite:301]
  • COBIT (IT governance framework): operationalises COSO technology principles; maps IT processes to COSO components [cite:283][cite:292]
  • ISO 27001 (information security standard): Annex A controls map to COSO ITGCs; ISO certification provides internal control evidence [cite:292]
  • IIA Three Lines Model (governance model): defines roles for control ownership, oversight, and independent assurance [cite:246]
  • NIST CSF (cybersecurity framework): CSF functions align with COSO risk assessment and control activity principles [cite:292]
  • COSO ICSR (2023) (sustainability reporting): extends COSO 2013 to internal control over sustainability reporting [cite:272]

Internal Controls - Recent Updates

COSO Internal Control over Sustainability Reporting (ICSR) — 2023

In March 2023, COSO published supplemental guidance applying the 2013 Internal Control — Integrated Framework to sustainability and ESG reporting, recognising that the same five-component, 17-principle model applies to non-financial reporting objectives [cite:272]. This guidance is increasingly relevant as organisations prepare for mandatory sustainability disclosures under the EU CSRD and, where in force for them, SEC climate disclosure rules.

Increased Emphasis on IT Controls and Automation

Regulatory expectations for automated controls, continuous monitoring, and data analytics in control testing have intensified [cite:276][cite:292]. PCAOB inspection findings consistently cite insufficient testing of ITGCs, particularly around access management, change management, and segregation of duties in IT systems [cite:301][cite:265]. Organisations are increasingly adopting GRC platforms, robotic process automation (RPA), and continuous control monitoring tools to replace manual spreadsheet-based control management [cite:276].

AI and Emerging Technology Risks

COSO's principles-based framework applies to AI systems without amendment — AI-specific risks (model drift, bias, adversarial attacks, prompt injection, data poisoning) map to Principle 7 (identifies and analyses risk), Principle 8 (assesses fraud risk), and Principle 11 (general controls over technology) [cite:281][cite:292]. Organisations deploying AI in financial reporting, decision-making, or compliance processes must extend their internal control framework to cover AI-specific control objectives including model validation, training data governance, output monitoring, and human oversight [cite:292].

PCAOB and SEC Focus on ICFR Quality (2024–2025)

PCAOB inspection reports continue to identify deficiencies in auditors' testing of ICFR, particularly in the areas of IT general controls, management review controls, and revenue-related controls [cite:301]. SEC enforcement actions in 2024–2025 have targeted companies with disclosed material weaknesses that were not remediated in a timely manner, reinforcing the expectation that internal control deficiencies are treated with urgency.